Exporting a security policy using the export utility

To export the settings included in a security policy, you can use the kics4net-cli security policy export utility. The utility exports the entire security policy to a file in a specified directory. When necessary, you can then import the relevant application settings from the file containing the saved security policy.

The utility is automatically installed at /opt/kaspersky/kics4net-cli/bin/ on the Server computer. You can use built-in operating system tools to configure kics4net-cli to run automatically to create regular security policy backups.

The utility connects to the application Server via a connector added to the application.

To prepare the application for using the security policy export utility, do the following:

  1. In the application, add the connector to be used by the security policy export utility to connect to the application Server. Specify the Generic system type for the connector.

    The application generates a new communication data package after the connector is added. The communication data package is an archive.

  2. On the computer with kics4net-cli installed, prepare a directory for the contents of the communication data package.

    To prepare the directory:

    1. Create a directory of your choice and copy the communication data package to it.
    2. Go to the directory containing the copy of the communication data package and enter the following command to unpack it:

      unzip <communication data package name>

      The unpacked files will appear in the directory.

    3. Enter the following command to create a clientcert.crt certificate file:

      sudo openssl pkcs12 -in certificates.pfx -nodes -clcerts -nokeys -out clientcert.crt

      When prompted for a password, enter the password to access the connector certificate. This is the password you set when adding the connector or when creating the new communication data package for the connector.

    4. Enter the following command to create a clientcert.key file:

      sudo openssl pkcs12 -in certificates.pfx -nocerts -nodes -out clientcert.key

      When prompted for a password, enter the password to access the connector certificate.

    5. Enter the following command to copy webserver.pem to the kics4net-cli certificates directory /var/opt/kaspersky/kics4net-cli/certs/:

      sudo cp webserver.pem /var/opt/kaspersky/kics4net-cli/certs

  3. On the computer with kics4net-cli installed, prepare a directory to save the exported files.

    To prepare the directory:

    1. Create a directory of your choice. To save files to a network share through the computer's local file system, you can use a directory that is mapped to the network share.
    2. If the directory is not nested inside /var/opt/kaspersky/kics4net/shared/, assign the kics4net user as the owner. To do so, enter the following command:

      sudo chown kics4net:kics4net <directory path>
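
The preparation steps above can be verified before the first export or before each scheduled run; the following script is an added example, not part of the vendor documentation or the utility. The function names are hypothetical, GNU stat and openssl are assumed to be available, and the owner-only requirement on clientcert.key is an assumption made here because the -nodes option writes the private key unencrypted.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before the kics4net-cli export.
# Function names are hypothetical; requires GNU stat and openssl.

SHARED=/var/opt/kaspersky/kics4net/shared   # path taken from the page

# Returns 0 if FILE is a regular file with no group/other permission bits.
key_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(printf '%04d' "$(stat -c %a "$1")")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Returns 0 if the certificate and the private key carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if DIR is inside $SHARED or is owned by OWNER (default kics4net).
export_dir_ok() {
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1   # resolve ../ and symlinks
    case "$real/" in
        "$SHARED"/*) return 0 ;;
    esac
    [ "$(stat -c %U "$real")" = "${2:-kics4net}" ]
}

# usage: preflight CERT KEY EXPORT_DIR
preflight() {
    rc=0
    key_mode_ok "$2" || { echo "key missing or open to group/others: $2" >&2; rc=1; }
    pair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; rc=1; }
    export_dir_ok "$3" || { echo "export directory location/owner is wrong: $3" >&2; rc=1; }
    return $rc
}

# Run the checks only when called with three arguments.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

The script takes the certificate file, the key file and the export directory as arguments, and it needs enough rights to read clientcert.key.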

To export the current security policy:

  1. On the computer with kics4net-cli installed, open the operating system console and go to /opt/kaspersky/kics4net-cli/bin/.
  2. Enter the following command in the command line:

    sudo ./kics4net-cli exec exportsecuritypolicy \
    --client-cert=<path to file clientcert.crt> \
    --client-key=<path to file clientcert.key> \
    --export-path=<path to directory to save files in> \
    --timeout=<timeout>

    where:

    • exec is the argument for running a command supported by the utility (mandatory parameter)
    • exportsecuritypolicy is the command for exporting a security policy to a file (mandatory parameter)
    • <path to file clientcert.crt> is the full path and name of the clientcert.crt certificate file in the directory prepared for the contents of the communication data package (mandatory parameter)
    • <path to file clientcert.key> is the full path and name of the clientcert.key file in the directory prepared for the contents of the communication data package (mandatory parameter)
    • <path to directory to save files in> is the full path to the directory to save the exported file in (mandatory parameter)
    • <timeout> is the timeout for the command execution result, in seconds (default 900 seconds). You can increase it with this parameter if the previous export attempt failed due to a large volume of data in the security policy.

      Example:

      sudo ./kics4net-cli exec exportsecuritypolicy --client-cert=/home/user1/certs/clientcert.crt --client-key=/home/user1/certs/clientcert.key --export-path=/var/opt/kaspersky/kics4net/shared/policy/

    After the utility finishes, verify that the files are in the target directory.

  3. If the resulting file has to be copied to another location, grant permission to copy the file. Only the owner has the permission by default. To grant the permission, enter the following command:

    sudo chmod o+r <path to policy file>
